mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00

Added prereq to install python-yq

Michael Burke
2024-10-24 15:01:31 -04:00
committed by openshift-cherrypick-robot
parent fc97e4f06c
commit ba2be4c252

@@ -16,6 +16,10 @@ The MCC also handles the image registry certificates and its associated user bun
You can get information about the listed certificates, including the underyling bundle the certificate comes from, and the signing and subject data.
.Prerequisites
* This procedure contains optional steps that require that the `python-yq` RPM package is installed.
.Procedure
* Get detailed certificate information by running the following command:
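Review bot: The new prerequisite under `.Prerequisites` describes the `yq` steps as optional, but nothing in the procedure is marked optional, and the first step's command already pipes into `yq -y`. Suggest either stating it as a plain requirement, for example "You have installed the `python-yq` RPM package.", or labeling the specific steps that can be skipped. The unchanged sentence above the prerequisite also carries the typo "underyling", which could be corrected in the same change.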
@@ -27,23 +31,27 @@ $ oc get controllerconfig/machine-config-controller -o yaml | yq -y '.status.con
+
.Example output
+
[source,text]
[source,yaml]
----
"controllerCertificates": [
{
"bundleFile": "KubeAPIServerServingCAData",
"signer": "<signer_data1>",
"subject": "CN=openshift-kube-apiserver-operator_node-system-admin-signer@168909215"
},
{
"bundleFile": "RootCAData",
"signer": "<signer_data2>",
"subject": "CN=root-ca,OU=openshift"
}
]
- bundleFile: KubeAPIServerServingCAData
notAfter: '2034-10-23T13:13:02Z'
notBefore: '2024-10-25T13:13:02Z'
signer: CN=admin-kubeconfig-signer,OU=openshift
subject: CN=admin-kubeconfig-signer,OU=openshift
- bundleFile: KubeAPIServerServingCAData
notAfter: '2024-10-26T13:13:05Z'
notBefore: '2024-10-25T13:27:14Z'
signer: CN=kubelet-signer,OU=openshift
subject: CN=kube-csr-signer_@1729862835
- bundleFile: KubeAPIServerServingCAData
notAfter: '2024-10-26T13:13:05Z'
notBefore: '2024-10-25T13:13:05Z'
signer: CN=kubelet-signer,OU=openshift
subject: CN=kubelet-signer,OU=openshift
# ...
----
* Get a simpler version of the information found in the ControllerConfig by checking the machine config pool status using the following command:
* Get a simpler version of the information found in the `ControllerConfig` resource by checking the machine config pool status using the following command:
+
[source,terminal]
----
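Review bot: The replacement YAML example output now lists `notBefore` and `notAfter` for every certificate, but the introductory sentence for this procedure still mentions only the bundle, "the signing and subject data". Suggest adding the validity dates to that sentence so readers know this command is where certificate expiry can be checked. Two of the sample entries show a `notAfter` of 2024-10-26, one day after `notBefore`; a short remark on whether that lifetime is expected would keep readers from reading it as a fault in their own cluster.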
@@ -52,33 +60,51 @@ $ oc get mcp master -o yaml | yq -y '.status.certExpirys'
+
.Example output
+
[source,text]
[source,yaml]
----
status:
certExpirys:
- bundle: KubeAPIServerServingCAData
subject: CN=admin-kubeconfig-signer,OU=openshift
- bundle: KubeAPIServerServingCAData
subject: CN=kube-csr-signer_@1689585558
- bundle: KubeAPIServerServingCAData
subject: CN=kubelet-signer,OU=openshift
- bundle: KubeAPIServerServingCAData
subject: CN=kube-apiserver-to-kubelet-signer,OU=openshift
- bundle: KubeAPIServerServingCAData
subject: CN=kube-control-plane-signer,OU=openshift
- bundle: KubeAPIServerServingCAData
expiry: '2034-10-23T13:13:02Z'
subject: CN=admin-kubeconfig-signer,OU=openshift
- bundle: KubeAPIServerServingCAData
expiry: '2024-10-26T13:13:05Z'
subject: CN=kube-csr-signer_@1729862835
- bundle: KubeAPIServerServingCAData
expiry: '2024-10-26T13:13:05Z'
subject: CN=kubelet-signer,OU=openshift
- bundle: KubeAPIServerServingCAData
expiry: '2025-10-25T13:13:05Z'
subject: CN=kube-apiserver-to-kubelet-signer,OU=openshift
# ...
----
+
This method is meant for {product-title} applications that already consume machine config pool information.
* Check which image registry certificates are on the nodes by looking at the contents of the `/etc/docker/cert.d` directory:
* Check which image registry certificates are on the nodes:
+
.. Log in to a node:
+
[source,terminal]
----
# ls /etc/docker/certs.d
$ oc debug node/<node_name>
----
.. Set `/host` as the root directory within the debug shell:
+
[source,terminal]
----
sh-5.1# chroot /host
----
.. Look at the contents of the `/etc/docker/cert.d` directory:
+
[source,terminal]
----
sh-5.1# ls /etc/docker/certs.d
----
+
.Example output
[source,text]
[source,terminal]
----
image-registry.openshift-image-registry.svc.cluster.local:5000 image-registry.openshift-image-registry.svc:5000
image-registry.openshift-image-registry.svc.cluster.local:5000
image-registry.openshift-image-registry.svc:5000
----
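Review bot: The new sub-step text says to look at the `/etc/docker/cert.d` directory, while the command directly below it lists `/etc/docker/certs.d`; the path in the prose should be changed to `certs.d` so it matches the command. In the last example output, the block is retagged from `[source,text]` to `[source,terminal]` although it contains command output rather than a command, and it lacks the `+` continuation line between `.Example output` and the source tag that the other example outputs in this change have; keeping `[source,text]` and adding the `+` would make it consistent.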